ISO 27001 Control A.8.15: Logging and Monitoring
In “peaceful” times, it’s easy to overlook, but when security incidents arise, you need to start by identifying what happened, where, and who caused the incident. This is why logs are essential, and why monitoring them is crucial. This is precisely what control A.8.15 in ISO 27001:2022 addresses.
- ISO 27001 Requirements for Logging and Monitoring
  - Event Logging
  - Log Storage
  - Protection of Logs
  - Analysis of Logs
Why Are Logs Important?
Having a system without an event log is a significant mistake. It can even result in penalties for breaching regulations on personal data protection: many countries require that the identity of users who access personal data be recorded. For the regulations that apply to information security in your country, see this article about laws and regulations on information security and business continuity by country.
The Simple Idea
If an incident occurs, you need to determine:
- What happened (time/date, details)
- Who was involved
- The origin and causes
For instance, authorities capture security camera recordings during a criminal act. Similarly, black boxes exist in airplanes, ships, and trains.
Prevent Fraud and Other Incidents
Logs are records about system access, incidents, user activities, etc. Reviewing logs regularly can help analyze trends or detect possible fraudulent activities before major incidents occur. For example, multiple failed attempts to access a critical system may indicate unauthorized access attempts. Firewall logs showing external connections can signal potential external attacks.
For more on handling security incidents, see this article about handling incidents according to ISO 27001 A.16.
The Role of Logs
Logs monitor the system, revealing what happens within information systems. They provide information about incident origins and help identify trends to avoid problems. Many applications offer logging functionality, some even active by default. This information is crucial in forensic analysis and can serve as evidence in legal proceedings.
ISO 27001 Requirements for Logging and Monitoring
Annex A of ISO 27001:2022 includes control A.8.15 Logging, which addresses the issues mentioned above:
Event Logging
Register information about user access and actions (including administrators and operators), errors, events, etc., in information systems.
Log Storage
When many applications produce logs, centralize them by configuring a syslog server (syslog is a standard for message logging that operates over a network in a client-server structure).
Protection of Log Information
Logs must be protected from unauthorized removal or modification. An attacker gaining unauthorized system access may remove log information to erase evidence. Set rules permitting log modification only by authorized individuals and fortify system access control measures.
Log Analysis
Analyze logs regularly to ensure unusual behavior and errors are detected and investigated promptly.
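As an added example (not part of the original article or of the standard), the following Python script shows what regular log analysis can look like in practice: it parses sshd-style syslog lines and flags a source address that produced five or more failed logins within five minutes, the pattern the article cites as a possible sign of unauthorized access attempts. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sshd-style lines (not from a real system) for the example.
SAMPLE_LOG = """\
Mar  3 08:00:01 app01 sshd[2101]: Failed password for alice from 198.51.100.7 port 51122 ssh2
Mar  3 08:00:09 app01 sshd[2104]: Failed password for alice from 198.51.100.7 port 51130 ssh2
Mar  3 08:00:15 app01 sshd[2109]: Failed password for invalid user admin from 198.51.100.7 port 51140 ssh2
Mar  3 08:00:22 app01 sshd[2113]: Failed password for alice from 198.51.100.7 port 51151 ssh2
Mar  3 08:00:31 app01 sshd[2117]: Failed password for alice from 198.51.100.7 port 51160 ssh2
Mar  3 08:00:40 app01 sshd[2120]: Accepted password for alice from 198.51.100.7 port 51170 ssh2
Mar  3 09:15:03 app01 sshd[2300]: Failed password for bob from 203.0.113.5 port 40001 ssh2
Mar  3 09:45:00 app01 sshd[2350]: Failed password for bob from 203.0.113.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict; return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}

def detect_failed_login_runs(log_text, threshold=5, window_seconds=300):
    """One alert per (source IP, host) with >= threshold failures inside any window of window_seconds."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[(e["src"], e["host"])].append(e["ts"])
    alerts = []
    for (src, host), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                # A success from the same source after the run is what an analyst wants to see first.
                later_success = any(e["result"] == "Accepted" and e["src"] == src
                                    and e["host"] == host and e["ts"] > times[i] for e in events)
                alerts.append({"src": src, "host": host, "failures": len(times),
                               "first": times[i], "followed_by_success": later_success})
                break  # one alert per source/host is enough for a review queue
    return alerts
```

Running `detect_failed_login_runs(SAMPLE_LOG)` on the constructed lines yields a single alert for 198.51.100.7 against app01, marked as followed by a successful login; the two failures from 203.0.113.5 are half an hour apart and stay below the threshold.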
Clock Synchronization (Control A.8.17)
Ensure all systems have synchronized time and date configurations. This synchronization makes it far easier to correlate events across systems when tracing an incident. Automate it against time servers (NTP servers, where “NTP” stands for Network Time Protocol).
Focus on the Most Sensitive Systems
Maintaining logs is crucial for monitoring systems and may be obligatory. However, logging everything can lead to capacity problems. Identify critical systems and limit logged information to user access, failures, errors, etc. Consider deleting outdated logs or storing them in backup systems. It’s vital to record logs but not necessary to store all logs indefinitely.
Conclusion
Logs are essential for monitoring systems, detecting issues, and ensuring compliance with regulations. By implementing ISO 27001 control A.8.15 effectively, you can enhance your organization’s security posture and respond efficiently to incidents.